| ▲ | a2tech 2 hours ago | |||||||
AWS support seems to be struggling. I just came to help a new customer who had a rough severance with their previous key engineer. The root account password was documented, but the MFA went to his phone. We've tried talking to everyone we can, opening tickets, chats, trying to talk to their assigned account rep, etc, no one can remove the MFA. So right now luckily they have other admin accounts, but we straight up can't access their root account. We might have to nuke the entire environment and create a new account which is VERY lame considering they have a complicated and well established AWS account. | ||||||||
| ▲ | mhurron 27 minutes ago | parent | next [-] | |||||||
Amazons assistance for account issues to organizations if an employee did anything individually is honestly horrible. They treat it like the organization is attempting to commandeer someone else's account so all the privacy protections you expect for your own stuff is applied no matter how much you can prove it is not some other individuals account. The best part is the billing issues that arise from that. In your example, if the previous engineer logged into that account (because they can) and racked up huge costs, assuming that account is getting billed or can be tied to your client, Amazon will demand your client pay for them, while at the same time refusing to assist in getting access to the account because it's someone else's. They hold you responsible, but unable to act in a responsible manner. | ||||||||
| ▲ | kevin_thibedeau an hour ago | parent | prev | next [-] | |||||||
This is why you either issue corporate phones or key dongles. | ||||||||
| ▲ | NetMageSCW an hour ago | parent | prev | next [-] | |||||||
What happens when someone loses their phone? | ||||||||
| ||||||||
| ▲ | UltraSane 37 minutes ago | parent | prev [-] | |||||||
This is why you never use personal phones for MFA to critical accounts. | ||||||||